[Dovecot] Dovecot authenticating---> Active Directory Win2003
Hello list,
I have installed 4 Etch, with dovecot 1.0.rc15-2, and I want that when users do IMAP/POP3, dovecot verifies the user/password against a Windows 2003 Active Directory.
Greetings
-- Let's use Free Software: "With everyone and for the good of everyone"
Michel Vega Fuenzalida, Linux User: 353763, Coordinator of the Grupo Linux Pinero, Laboratory Technician, Centro Universitario "Jesús Montané Oropesa", Isla de la Juventud, Cuba
The tribute campaign for the workers of our sector will run from 15 to 22 December. Its central slogan is "The Revolution has infinite faith in present and future educators".
On 12/8/2008, Michel Vega Fuenzalida (mvega@cuij.co.cu) wrote:
I have installed 4 Etch, with dovecot 1.0.rc15-2
Please upgrade... it really isn't worth trying to troubleshoot something so old (and known to have many issues)...
Use a different repo if you have to...
--
Best regards,
Charles
2008/12/8 Charles Marcus CMarcus@media-brokers.com:
On 12/8/2008, Michel Vega Fuenzalida (mvega@cuij.co.cu) wrote:
I have installed 4 Etch, with dovecot 1.0.rc15-2
Please upgrade... it really isn't worth trying to troubleshoot something so old (and known to have many issues)...
Use a different repo if you have to...
--
Best regards,
Charles
Use dovecot from backports.org. It is stable. I have no trouble with this version.
Tomasz.
You have to use LDAP as the authentication backend, with port 3268.
On Mon, Dec 08, 2008 at 02:43:53PM +0100, Thomas Siebert wrote:
You have to use LDAP as Authentication Backend with Port 3268.
That works but has 3 main drawbacks:
- It is a pain to setup SSL LDAP on both windows and linux. If you don't do this then it is massively insecure
- Passwords must be exchanged in plain text over IMAP. Also no single sign on capabilities.
- There is no redundancy or load balancing if you have multiple ADS servers
The *best* answer is to use a combination of samba's winbind and kerberos. This gives you encryption and mutual authentication between dovecot and the ADS server and various non-plaintext options between the client and dovecot - plus single sign on capabilities for SSPI or kerberized clients.
Use dovecot's pam support to call out to pam_winbind/pam_krb5, and the native support to call out to winbind for ntlm and spnego. Dovecot's native gssapi kerberos rounds things out.
The basic steps are
1) Get samba, winbind, dovecot, kerberos installed
   1a) Setup smb.conf with the proper ADS options
       Note you do not need to run nmbd or smbd, just winbind.
2) Use samba to join the machine to the domain with 'net ads join -U Administrator'
   Verify in ADS you have a computer with the proper name
3) Create an imap keytab entry 'net ads keytab imap/host@REALM'
   Also tell windows imap is allowed for this host via the gui or adsiedit/ldapedit/etc
4) Start winbind
5) Setup dovecot
   5a) Setup pam_winbind for dovecot
6) Test on the dovecot machine:
   net ads testjoin
   wbinfo -n mywinuser
   klist -k
   kinit mywinuser@REALM
   kvno imap/host@REALM
   check DNS that host has proper forward and reverse entries
   telnet localhost imap
   1 CAPABILITY
   * CAPABILITY [..] AUTH=PLAIN AUTH=GSSAPI AUTH=GSS-SPNEGO AUTH=LOGIN AUTH=NTLM
I also have exim setup to use dovecot SASL and so it also does NTLM, GSSAPI and SPNEGO.
There is a lot of information about this scattered on various web sites. The method I've outlined above is the latest scheme using the newer software. Some reference material uses older techniques...
In my experience pretty much every client supports some version of NTLM, so passwords will be exchanged non-plaintext in most cases (though weak flavors of NTLM might be negotiated). Many clients like Thunderbird support kerberos, and so on Windows you get single sign on too. Most Linux clients also support kerberos so you can get single sign on for them too with some setup.
Here are some config fragments you might find helpful
smb.conf:
    [global]
    netbios name = host
    workgroup = FOO
    realm = ADS.FOO
    security = ads
    use kerberos keytab = true
    encrypt passwords = true
    winbind use default domain = yes
Dovecot:
    auth_ntlm_use_winbind = yes
    auth_username_format = %n
    auth_winbind_helper_path = /usr/bin/ntlm_auth
    mechanisms = plain gssapi gss-spnego login ntlm
    passdb pam {
    }
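As an added check for the test step at the end of Jason's procedure (this is not code from the thread or from Dovecot), the script below classifies the AUTH= mechanisms an IMAP CAPABILITY line advertises and flags the plaintext exposure the thread argues about. The sample lines are constructed; Jason's `[..]` is assumed to hold IMAP4rev1 and STARTTLS.

```python
"""Classify the SASL mechanisms an IMAP CAPABILITY line advertises and flag
plaintext exposure. Added example; sample lines below are constructed."""

# Mechanisms that keep the password off the wire, strongest first: Kerberos
# (GSSAPI / GSS-SPNEGO) adds mutual auth and SSO, NTLM is challenge-response.
NON_PLAINTEXT = ("GSSAPI", "GSS-SPNEGO", "NTLM")
# Mechanisms that transmit the password itself; acceptable only inside TLS.
PLAINTEXT = ("PLAIN", "LOGIN")

def parse_capabilities(line):
    """Split '* CAPABILITY ...' into (other capabilities, SASL mechanisms)."""
    tokens = line.strip().split()
    if tokens[:2] != ["*", "CAPABILITY"]:
        raise ValueError("expected an untagged CAPABILITY response")
    caps, mechs = set(), set()
    for tok in tokens[2:]:
        tok = tok.upper()
        if tok.startswith("AUTH="):
            mechs.add(tok[len("AUTH="):])
        else:
            caps.add(tok)
    return caps, mechs

def audit(line, over_tls):
    """Return (strongest non-plaintext mechanism or None, list of findings).
    over_tls: True for IMAPS/POP3S or a session already upgraded by STARTTLS."""
    caps, mechs = parse_capabilities(line)
    findings = []
    strong = [m for m in NON_PLAINTEXT if m in mechs]
    weak = [m for m in PLAINTEXT if m in mechs]
    if not strong:
        findings.append("no challenge-response or Kerberos mechanism: every "
                        "login hands the server the clear password")
    elif not ({"GSSAPI", "GSS-SPNEGO"} & mechs):
        findings.append("NTLM only: no single sign-on, and a weak NTLM "
                        "flavour may be negotiated")
    if weak and not over_tls:
        note = " (STARTTLS offered but not negotiated)" if "STARTTLS" in caps else ""
        findings.append("plaintext mechanisms %s advertised on an unencrypted "
                        "session%s" % ("/".join(weak), note))
    return (strong[0] if strong else None), findings

# Constructed samples: the winbind+kerberos server from the thread (Jason's
# '[..]' assumed to hold IMAP4rev1 STARTTLS) and an LDAP-bind-only server,
# which can offer only PLAIN and LOGIN because it must bind with the clear password.
WINBIND_LINE = ("* CAPABILITY IMAP4rev1 STARTTLS AUTH=PLAIN AUTH=GSSAPI "
                "AUTH=GSS-SPNEGO AUTH=LOGIN AUTH=NTLM")
LDAP_ONLY_LINE = "* CAPABILITY IMAP4rev1 STARTTLS AUTH=PLAIN AUTH=LOGIN"

if __name__ == "__main__":
    for name, line in (("winbind", WINBIND_LINE), ("ldap-only", LDAP_ONLY_LINE)):
        for tls in (False, True):
            print(name, "tls=%s" % tls, audit(line, tls))
```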
-----Original Message-----
From: dovecot-bounces+siebert+lists=et.rub.de@dovecot.org [mailto:dovecot-bounces+siebert+lists=et.rub.de@dovecot.org] On Behalf Of Jason Gunthorpe
Sent: Tuesday, December 09, 2008 12:13 AM
To: Thomas Siebert; Michel Vega Fuenzalida
Cc: 'Dovecot Mailing List'
Subject: Re: [Dovecot] Dovecot authenticating---> Active Directory Win2003
On Mon, Dec 08, 2008 at 02:43:53PM +0100, Thomas Siebert wrote:
You have to use LDAP as Authentication Backend with Port 3268.
That works but has 3 main drawbacks:
- It is a pain to setup SSL LDAP on both windows and linux. If you don't do this then it is massively insecure
Agreed, if you don't it is massively insecure. But I don't see why it should be that complicated. For the ADS, Microsoft gives advice: http://support.microsoft.com/kb/321051
...and for Linux, there are tons of tutorials.
- Passwords must be exchanged in plain text over IMAP. Also no single sign on capabilities.
Agreed there's no single sign on. But for plain text password exchange, there's no drawback when you use IMAPS or POP3S. And you should always do so.
- There is no redundancy or load balancing if you have multiple ADS servers
The *best* answer is to use a combination of samba's winbind and kerberos. This gives you encryption and mutual authentication between dovecot and the ADS server and various non-plaintext options between the client and dovecot - plus single sign on capabilities for SSPI or kerberdized clients.
For load balancing, it should be possible to use a round-robin DNS server instead. And you forget that the number of LDAP queries will be doubled as there's no possibility to use userdb prefetch.
On Tue, Dec 09, 2008 at 01:57:43PM +0100, Thomas Siebert wrote:
That works but has 3 main drawbacks:
- It is a pain to setup SSL LDAP on both windows and linux. If you don't do this then it is massively insecure
Agreed, if you don't it is massively insecure. But I don't see why it should be that complicated. For the ADS, Microsoft gives advice: http://support.microsoft.com/kb/321051
...and for Linux, there are tons of tutorials.
Right, it isn't impossible, but setting up a CA, generating certs, installing them and enabling the magic feature (on all your ADS servers) is much more work than setting up winbind :)
- Passwords must be exchanged in plain text over IMAP. Also no single sign on capabilities.
Agreed there's no single sign on. But for plain text password exchange, there's no drawback when you use IMAPS or POP3S. And you should always do so.
Well, the security advantage to all the hashing schemes is that a compromise of your imap server does not result in a plain text password disclosure for all users.
For load balancing, it should be possible to use a round-robin DNS server instead. And you forget that the numbers of LDAP queries will be doubled as there's no possibility to use userdb prefetch.
I looked at load balancing with SSL LDAP once and rapidly ran into trouble with certificate validation issues. The SSL certs in the ADS should have unique machine names which was incompatible with a DNS round robin. The new SRV record processing code in openldap is supposed to avoid that problem though.
Also, winbind doesn't actually authenticate over ldap, it uses a much lower overhead UDP protocol...
Once you no longer need to do authentication over ldap it becomes possible to maintain a long term kerberized LDAP session for user database queries if you need that (though I suppose dovecot cannot do that today).. Removing the per-user SSL setup cost would easily gain back any overheads from even the most expensive authentication operation that winbind does..
Heck, even being able to do a root-owned kerberized LDAP query would be a nice dovecot feature for ADS integration since it removes the need for SSL setup entirely. Once samba joins an ADS domain root has access to the host$ ticket and can do secured ldap queries using the machine account.
Jason
The only problem with that is that then all of the AD users will have a virtual account. This includes built-in accounts in AD.
I would take the take to do LDAP queries against AD and do it so that it searches the "mail" attribute for the objectClass person. Then in order to (let's call it activate) activate the user for pop3/imap authentication you need to fill up the mail field in the user properties in your AD.
I agree that LDAP is insecure, but using pam_krb5/pam_winbind will make every single account accessible from pop3/imap.
Romer Ventura
Network Administrator
Houston-Sigma Technologies, L.P.
1333 Industrial Blvd. Sugar Land Tx. 77478
Voice 281-295-5017
rventura@h-st.com
Hello,
I am trying to use userdb prefetch so that I don't do an extra LDAP lookup and I am having some problems:
Here is my dovecot-ldap.conf
    # cat /etc/dovecot/dovecot-ldap.conf
    hosts = 192.168.50.30 192.168.50.31
    base = ou=HST-Users,dc=h-st,dc=com
    ldap_version = 3
    auth_bind = yes
    dn = cn=ldap,cn=Users,dc=h-st,dc=com
    dnpass = <PASSWORD>
    user_attrs = sAMAccountName=mail=maildir:/home/vmail/%Ud/%Ln/Maildir/,=gid=1000,=uid=1001
    user_filter = (&(objectClass=person)(mail=%u))
    #pass_attrs = sAMAccountName=mail=maildir:/home/vmail/%Ud/%Ln/Maildir/,=gid=1000,=uid=1001
    pass_filter = (&(objectClass=person)(mail=%u))
This works just fine and it only authenticates if the user's email field has an email address, which is what I want.
But I can't get it to work with prefetch. How could I accomplish that?
Thanks
"auth_bind = yes" is incompatible with prefetch.
http://wiki.dovecot.org/UserDatabase/Prefetch
On Wed, 2008-12-10 at 07:09 +0100, Thomas Siebert wrote:
"auth_bind = yes" is incompatible with prefetch.
auth_bind_userdn is incompatible, not auth_bind.
On Tue, 2008-12-09 at 14:44 -0600, Romer Ventura wrote:
Hello,
I am trying to use userdb prefetch so that I don't do an extra LDAP lookup and I am having some problems:
Here is my dovecot-ldap.conf
    # cat /etc/dovecot/dovecot-ldap.conf
    hosts = 192.168.50.30 192.168.50.31
    base = ou=HST-Users,dc=h-st,dc=com
    ldap_version = 3
    auth_bind = yes
Auth binding is currently doing one lookup to get the DN for the user. If your DN fits to a template, you could set auth_bind_userdn setting to avoid the initial lookup. That way you would get the same result as with prefetch: two LDAP lookups.
    dn = cn=ldap,cn=Users,dc=h-st,dc=com
    dnpass = <PASSWORD>
    user_attrs = sAMAccountName=mail=maildir:/home/vmail/%Ud/%Ln/Maildir/,=gid=1000,=uid=1001
    user_filter = (&(objectClass=person)(mail=%u))
    #pass_attrs = sAMAccountName=mail=maildir:/home/vmail/%Ud/%Ln/Maildir/,=gid=1000,=uid=1001
    pass_filter = (&(objectClass=person)(mail=%u))
So, if you don't set auth_bind_userdn, you can set pass_attrs to contain all the same things as user_attrs, except with userdb_ prefix:
pass_attrs = sAMAccountName=userdb_mail=maildir:/home/vmail/%Ud/%Ln/Maildir/,=userdb_gid=1000,=userdb_uid=1001
Although instead of setting uid/gid in the pass/user_attrs, you could just set mail_uid and mail_gid settings in dovecot.conf.
For dovecot.conf then use:
    passdb ldap {
      ..
    }
    userdb prefetch {
    }
    userdb ldap {
      ..
    }
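Added example (not Dovecot's code) applying Timo's rule above: it derives the userdb_-prefixed pass_attrs from an existing user_attrs and reports the two things in this thread that stop prefetch from working (auth_bind_userdn set, or pass_attrs returning no userdb_* fields). The embedded config is Romer's, trimmed to the relevant keys; the config reader and attribute splitter are minimal and assume the simple `key = value` and `ldapAttr=field=template,...` forms shown on this page.

```python
"""Derive prefetch-style pass_attrs from an existing dovecot-ldap.conf and list
what would stop userdb prefetch from working. Added example, not Dovecot code."""

def parse_ldap_conf(text):
    """Minimal 'key = value' reader for dovecot-ldap.conf; skips comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            conf[key.strip()] = value.strip()
    return conf

def split_attrs(spec):
    """'ldapAttr=field=template,...' -> (ldap_attr, field, template) triples;
    an empty ldap_attr (as in '=gid=1000') means a static value."""
    triples = []
    for entry in (spec.split(",") if spec else []):
        ldap_attr, _, rest = entry.partition("=")
        field, sep, template = rest.partition("=")
        triples.append((ldap_attr, field, template if sep else None))
    return triples

def prefetch_pass_attrs(user_attrs):
    """Rewrite user_attrs so the passdb returns each field as userdb_<field>."""
    out = []
    for ldap_attr, field, template in split_attrs(user_attrs):
        entry = "%s=userdb_%s" % (ldap_attr, field)
        if template is not None:
            entry += "=" + template
        out.append(entry)
    return ",".join(out)

def check_prefetch(conf):
    """Problems that would keep userdb prefetch from working with this config."""
    problems = []
    if conf.get("auth_bind_userdn"):
        problems.append("auth_bind_userdn is set: the bind skips the passdb "
                        "lookup, so there is nothing to prefetch")
    fields = [f for _, f, _ in split_attrs(conf.get("pass_attrs", ""))]
    if not any(f.startswith("userdb_") for f in fields):
        problems.append("pass_attrs returns no userdb_* fields; use: pass_attrs = "
                        + prefetch_pass_attrs(conf.get("user_attrs", "")))
    return problems

# Romer's dovecot-ldap.conf from the thread, trimmed to the relevant keys.
ROMER_CONF = """\
hosts = 192.168.50.30 192.168.50.31
auth_bind = yes
user_attrs = sAMAccountName=mail=maildir:/home/vmail/%Ud/%Ln/Maildir/,=gid=1000,=uid=1001
#pass_attrs = sAMAccountName=mail=maildir:/home/vmail/%Ud/%Ln/Maildir/,=gid=1000,=uid=1001
"""
```

Running `check_prefetch(parse_ldap_conf(ROMER_CONF))` reports only the missing pass_attrs and prints the line Timo gave; with that line added the check is clean, and it fails again if auth_bind_userdn is set.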
Tomasz Suchodolski wrote:
2008/12/8 Charles Marcus CMarcus@media-brokers.com:
On 12/8/2008, Michel Vega Fuenzalida (mvega@cuij.co.cu) wrote:
I have installed 4 Etch, with dovecot 1.0.rc15-2
Please upgrade... it really isn't worth trying to troubleshoot something so old (and known to have many issues)...
Use a different repo if you have to...
--
Best regards,
Charles
Use dovecot from backports.org. It is stable. I have no trouble with this version.
Or rebuild packages from experimental. Works fine.
~Seth
participants (8)
- Charles Marcus
- Jason Gunthorpe
- Michel Vega Fuenzalida
- Romer Ventura
- Seth Mattinen
- Thomas Siebert
- Timo Sirainen
- Tomasz Suchodolski